[crypto] Check if byte-copy was successful

nasahlpa · nasahlpa · commit 1250168b2d10 · 2025-11-19T09:00:24.000+01:00
After a byte-wise copy using randomized_bytecopy() use the function consttime_memeq_byte() to check if copying the data was successful. This is a FI mitigation. Closes #28753. Signed-off-by: Pascal Nasahl <nasahlpa@lowrisc.org>
diff --git a/sw/device/lib/base/hardened_memory.c b/sw/device/lib/base/hardened_memory.c
@@ -265,6 +265,10 @@ status_t randomized_bytecopy(void *restrict dest, const void *restrict src,
   RANDOM_ORDER_HARDENED_CHECK_DONE(order);
   HARDENED_CHECK_EQ(count, byte_len);
 
+  // Check if copying the data was successful.
+  HARDENED_CHECK_EQ(consttime_memeq_byte(dest, src, byte_len),
+                    kHardenedBoolTrue);
+
   return OTCRYPTO_OK;
 }
 
diff --git a/sw/device/lib/base/hardened_memory.h b/sw/device/lib/base/hardened_memory.h
@@ -146,7 +146,9 @@ status_t hardened_xor_in_place(uint32_t *OT_RESTRICT x,
  * Copy memory between non-overlapping regions with a randomized byte traversal.
  *
  * CAUTION! This function is not considered as secure as `hardened_memcpy` due
- * to the byte-sized memory accesses vs. 32b word accesses.
+ * to the byte-sized memory accesses vs. 32b word accesses. After copying the
+ * data, this function uses `consttime_memeq_byte()` to check if the data was
+ * copied correctly.
  *
  * @param dest the region to copy to.
  * @param src the region to copy from.

Original file line number	Diff line number	Diff line change
`@@ -265,6 +265,10 @@ status_t randomized_bytecopy(void restrict dest, const void restrict src,`
`265`	`265`	`RANDOM_ORDER_HARDENED_CHECK_DONE(order);`
`266`	`266`	`HARDENED_CHECK_EQ(count, byte_len);`
`267`	`267`
	`268`	`+ // Check if copying the data was successful.`
	`269`	`+ HARDENED_CHECK_EQ(consttime_memeq_byte(dest, src, byte_len),`
	`270`	`+ kHardenedBoolTrue);`
	`271`	`+`
`268`	`272`	`return OTCRYPTO_OK;`
`269`	`273`	`}`
`270`	`274`
Original file line number	Diff line number	Diff line change
`@@ -146,7 +146,9 @@ status_t hardened_xor_in_place(uint32_t *OT_RESTRICT x,`
`146`	`146`	`* Copy memory between non-overlapping regions with a randomized byte traversal.`
`147`	`147`	`*`
`148`	`148`	* CAUTION! This function is not considered as secure as `hardened_memcpy` due
`149`		`- * to the byte-sized memory accesses vs. 32b word accesses.`
	`149`	`+ * to the byte-sized memory accesses vs. 32b word accesses. After copying the`
	`150`	+ * data, this function uses `consttime_memeq_byte()` to check if the data was
	`151`	`+ * copied correctly.`
`150`	`152`	`*`
`151`	`153`	`* @param dest the region to copy to.`
`152`	`154`	`* @param src the region to copy from.`